Closed
Bug 742222
Opened 12 years ago
Closed 12 years ago
Execution of request.onreadystatechange crashes Firefox
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
VERIFIED
FIXED
mozilla14
Tracking | Status | |
---|---|---|
firefox14 | - | --- |
People
(Reporter: Honza, Assigned: bzbarsky)
References
Details
(Keywords: crash, regression)
Attachments
(2 files)
1.68 MB,
application/x-xpinstall
|
Details | |
1.27 KB,
patch
|
peterv
:
review+
|
Details | Diff | Splinter Review |
This report is based on the following thread: http://groups.google.com/group/mozilla.dev.platform/browse_thread/thread/49c2d30c38c40504/81252a5b7b76b655?hl=en#81252a5b7b76b655 Firebug is overriding <xhr-request>.onreadystatechange and when the callback is executed it calls the original handler, see here: https://github.com/firebug/firebug/blob/572bc4883aa895b2bcac53e555e6f6434aa11ec1/extension/content/firebug/net/spy.js#L819 onreadystatechange is now just a Function (since Fx14) so, it's executed using 'call': var originalHandler = request.onreadystatechange; originalHandler.call(request, event); // <- causes crash Execution of the second line causes Firefox crash. Crash Report: https://crash-stats.mozilla.com/report/index/bp-2fcfa090-a26b-43d6-bbcc-45aef2120403 The first Nightly where the bug appeared: http://hg.mozilla.org/mozilla-central/rev/3e46009daea3 It still appears in today's Nightly: http://hg.mozilla.org/mozilla-central/rev/c410b2d6d570 STR: 1) Install attached Firebug build 2) Enable the Console panel 3) Load www.google.com 4) Type something into the search box -> CRASH Honza
Assignee | ||
Comment 1•12 years ago
|
||
Peter, are we possibly ending up returning the content function to chrome code without putting a cross-compartment wrapper on it?
Blocks: 740069
Severity: normal → critical
tracking-firefox14:
--- → ?
Component: XPConnect → DOM
Keywords: crash,
regression
QA Contact: xpconnect → general
Assignee | ||
Comment 2•12 years ago
|
||
Yup. In a debug build, I get: Assertion failure: compartment mismatched, at ../../../mozilla/js/src/jscntxtinlines.h:156 (gdb) frame 7 #7 0x135c8876 in js::CallJSNative (cx=0x22c529d0, native=0x16179ec0 <get_onreadystatechange>, args=@0xbfff65b4) at jscntxtinlines.h:316 316 assertSameCompartment(cx, args.rval());
Assignee | ||
Comment 3•12 years ago
|
||
Attachment #612189 -
Flags: review?(peterv)
Assignee | ||
Updated•12 years ago
|
Assignee: nobody → bzbarsky
Whiteboard: [need review]
Reporter | ||
Comment 4•12 years ago
|
||
Perhaps this one is related? Bug 742631 - Crash [@ js::ContextStack::currentScriptWithDiagnostics(unsigned char**)] Honza
Comment 5•12 years ago
|
||
Comment on attachment 612189 [details] [diff] [review] Make sure to JS_WrapValue values being returned for callback types and 'any' types. Would be nice to have a test.
Attachment #612189 -
Flags: review?(peterv) → review+
Assignee | ||
Comment 6•12 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/1907c8bf3cae with test.
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla14
Assignee | ||
Comment 7•12 years ago
|
||
Er, https://hg.mozilla.org/integration/mozilla-inbound/rev/1907c8bf3cae
Comment 8•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/1907c8bf3cae
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
|
Reporter | ||
Comment 9•12 years ago
|
||
My STR from comment #0 is fixed in http://hg.mozilla.org/mozilla-central/rev/9ca66ce2672f Thanks! Honza
Status: RESOLVED → VERIFIED
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•